The decision by the United Kingdom to leave the European Union will soon launch one of the largest policy undertakings ever, as British leaders and diplomats race against a two-year deadline to negotiate new arrangements with the European Union and new treaties with other countries previously governed by agreements made through the EU. While the first order of business will be ensuring British citizens can travel abroad and British companies can access foreign markets, in today’s digital economy there should also be a significant focus on how the UK will ensure the free movement of data both internally and across borders. Fortunately, this is one of the bright spots for the British economy as the UK will now have an opportunity to replace the stringent EU data protection regulations with a more forward-looking set of rules that enable data-driven innovation and in so doing cement the country’s leadership in the digital economy.

The UK has long been a lonely voice of reason in the EU, arguing for light-touch regulation of the digital economy even as countries such as France and Germany have overruled it. The result has been that while the digital economy is stagnant in the EU, it is thriving in the UK. Indeed, as a share of GDP, the Internet economy in 2016 is expected to reach 12 percent in the UK, far above the 3 percent or 4 percent in France and Germany respectively. Yet some in the UK want to continue to bind the British economy to EU-style data regulations out of fear that failing to do so would create a regulatory headache for British companies doing business in the EU. The UK’s Information Commissioner’s Office even released a statement immediately following the results of the referendum calling for “international consistency around data protection laws.” While it is true that British companies need to be able to process personal data of employees and customers in the EU, there are multiple paths to achieve that goal, and mirroring EU rules is not the best option.

First, the EU’s General Data Protection Regulation (GDPR), set to come into effect in 2018, will likely further limit digital innovation in EU member nations. The GDPR establishes strict rules on how companies can collect and use personal information. For example, the rules mandate that companies specify how they will use data before they collect it, a requirement that by definition limits the type of experimentation and innovation that has become the hallmark of the data economy. In addition, the regulations allow for penalties of up to 4 percent of a company’s global revenue, which means that the private sector will be investing heavily in compliance to avoid violations. These expenses will not only divert funds from more useful product development and raise costs for consumers, but they will also force companies to become risk averse. The UK would be wise to protects its companies from the restrictions and penalties resulting from these types of heavy-handed, innovation-limiting regulations.

Second, even if the UK were to fully implement the GDPR, there is no guarantee that the EU would determine its data protection laws meet its adequacy standard—a necessary precondition for companies in the UK to continue processing European data as they do today. After all, the biggest hurdle in negotiating the successor to the U.S.-EU Safe Harbor agreement was not that the United States had a different style of data regulation, but rather that U.S. government surveillance programs purportedly put EU citizen privacy at risk. Yet, some European countries have passed more intrusive surveillance laws than those in the United States, such as those passed by France following the Charlie Hebdo terrorists attacks in Paris. However, the EU has not held its member states to the same standard as it does non-EU countries. The UK, which is set to pass its own controversial surveillance legislation, should not expect to receive a pass even if it adopts measures equivalent to the GDPR.

Rather than seeking an adequacy determination, the UK should take the approach pursued by most non-European countries and use other legal mechanisms, such as model contracts and binding corporate rules, to enable lawful transfers of personal data between the UK and EU member states. Or it could negotiate something akin to the Privacy Shield agreement which was established to allow for the exchange of data between the United States and the EU. Any of these approaches would allow UK policymakers to establish their own data protection rules that balance the right to privacy with other competing interests such as national security, economic prosperity, innovation, and public health while still maintaining free trade with Europe.

If the purpose of Brexit was to allow the UK to reassert core British values through its policies, then it should seize this opportunity to define a uniquely British solution to data protection rather than continuing down the stultifying path laid out by Brussels. Doing so would not only free British companies from the heavy compliance cost of the GDPR and allow them to better compete in the global market, but it would also establish confidence with investors that the UK is in fact emerging hub for the growing data economy.

Daniel Castro is the director of the Center for Data Innovation and vice president of the Information Technology and Innovation Foundation. Mr. Castro writes and speaks on a variety of issues related to information technology and internet policy, including data, privacy, security, intellectual property, internet governance, e-government, and accessibility for people with disabilities. His work has been quoted and cited in numerous media outlets, including The Washington Post, The Wall Street Journal, NPR, USA Today, Bloomberg News, and Businessweek. In 2013, Mr. Castro was named to FedScoop’s list of “Top 25 most influential people under 40 in government and tech.” In 2015, U.S. Secretary of Commerce Penny Pritzker appointed Mr. Castro to the Commerce Data Advisory Council.
Mr. Castro previously worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies, including the Securities and Exchange Commission (SEC) and the Federal Deposit Insurance Corporation (FDIC). In addition, Mr. Castro was a Visiting Scientist at the Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania where he developed virtual training simulations to provide clients with hands-on training of the latest information security tools. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.